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Abstract 

Different chaos synchronization based encryption schemes are reviewed and compared from the 
practical point of view. As an efficient cryptanalysis tool for chaos encryption, a proposal based 
on the Error Function Attack is presented systematically and used to evaluate system security. We 
define a quantitative measure (Quality Factor) of the effective applicability of a chaos encryption 
scheme, which takes into account the security, the encryption speed, and the robustness against 
channel noise. A comparison is made of several encryption schemes and it is found that a scheme 
based on one-way coupled chaotic map lattices performs outstandingly well, as judged from Quality 
Factor. 
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I. INTRODUCTION 



Chaotic systems and conventional cryptosystems share many common properties, such 
as the sensitivity to initial conditions and parameters Jiigh complexity and unpredictabil- 
ity, stochastic and random- like behaviors, and so on 1]. Shanon, in his seminal paper of 
cryptography, wrote [2]: "In a good mixing transformation ... functions are complicated, 
involving all variables in a sensitive way. A small variation of any one (variable) changes 
(the outputs) considerably." These requirements, which are also known as the diffusion and 
confusion properties in conventional cryptography theory, are just some of the fundamental 
characteristics of chaotic dynamical systems widely studied in the last several decades. It is 
indeed a celebrated property of chaotic systems that they can produce highly complex signals 
while having relatively simple system structures. Whereas the conventional cryptography 
is mainly based on some particular algebraic or number-theoretic operations, chaos-based 
cryptography depends entirely on some physical laws, this makes chaos cryptography not 
only easy to formulate and analyze in theory, but also simply to design and operate in ap- 
plications. Because of these advantages, chaos encryption has been an extremely popular 
topic of investigation, pursued in recent years by researchers from different fields. 

The conventional cryptography works on discrete-value systems while chaotic cryptog- 
raphy works on continuous-value systems. Because of this, the early attempts in this field 
mainly focused on using chaotic systems as pseudo-random number (PN) generators in 
discrete- value implementations [3]. Later, different encryption algorithms were developed 
based on the different properties of chaos: algorithms that build upon discretization and 
mapping, ergodicity, perturbation and control, targeting, alphabet units portion etc., have 
been proposed for different purposes j^. Each algorithm has its special characteristics and 
can be well utilized under certain restrictions. In 1990, Pecora and Carroll published the 
irst paper on chaos synchronization and assumed its application in secure communication 
^. From then on, chaos synchronization based encryption (CSE) has been a hot topic both 
in theory and in applications ^, Q, • Comparing with other algorithms, the CSE algorithm 
is advanced in many aspects. Firstly, the well developed theory of chaos synchronization 
provides a solid basis for its feasibility and performance analysis. Secondly, experiments 
show that chaos synchronization can be robust and easily realizable in applications. Finally, 
it is easy to synchronize high- dimensional chaotic systems constructed by coupling or cas- 
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cading low- dimensional systems, which has been used as a standard method for generating 
highly complex signals in practical operations. As a result, different encryption schemes 
based on the idea of CSE, such as chaos masking, chaos key shifting and chaotic modulation 
etc., have been proposed in recent years. 

Initially, chaos encryption was implemented on low-dimensional chaotic systems both 
theoretically and experimentally. These encryption methods are reasonably fast, simple to 
implement, and have been assumed secure. However, various security flaws have been found, 
flaws that allow the private message to be extracted without a knowledge of the secret keys, 
or of the underlying dynamics [JQ, Q]. In order to overcome these drawbacks, recent 
developments have focused on hyperchaos systems which possess many positive Lyapunov 
exponents (LEs) and are more complex in dynamics. In particular, spatiotemporal chaos has 
been investigated widely for its excellent performance in correlations and spread spectrum 



multiple access communication 



12| |. However, while the early works on chaos encryption 



were discussed in the community of applied cryptography, recent works are almost exclu- 
sively considered inside the nonlinear systems community. Even a casual evaluation of these 
algorithms shows a lot of potential pitfalls and inherent drawbacks 

HQ. 

For a good 

practical encryption algorithm, security is not the only requirement; other properties such 
as encryption speed and error rate should be considered as well. Unfortunately, so far in 
the field of chaos encryption, most efforts are still directed at improving system security, 
with the other properties receiving little attention. In general, when the dimension of a 
chaotic system is increased, its encryption speed will suffer, and for a CSE system, the 
synchronization time will increase too. Together these will effect the system cost and the 
global performance in different manners. Therefore, it is necessary to analyze different chaos 
encryption schemes by taking all these crucial aspects into account. 

In this paper, we will analyze different chaos synchronization based encryption schemes 
from the application point of view. For each scheme, three properties: security, encryp- 
tion speed, and error propagation length (EPL), will be investigated and compared. We 
propose an efficient cryptanalysis method, the Error Function Attack (EFA) method, for 
the evaluation of chaos encryption systems. Moreover, we define a quantity, which we call 
the Quality Factor (QF), that allows us to compare the practical applicabilities of different 
cryptosystems. Based on the simulation results, we give a rough ranking of various chaos 
encryption schemes according to their feasibilities for application. 
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This paper will be arranged as follows. In Sec. II, we propose and analyze the EFA 
method in detail. We then evaluate the security of different chaos encryption schemes using 
the EFA method in Sec. Ill, and define the Quality Factor. Comparison of the different 
encryption schemes using the QF is presented in Sec. IV. A brief conclusion is then given 
in Sec. V. 



II. ERROR FUNCTION ATTACK 

A cryptosystem is usually designed in such a way that its security relies on as few as 
possible secrets expressed as keys, and it is also believed that a public- structure encryption 
system is more reliable than a secret one Q]. A fundamental assumption in cryptanalysis 
enunciated by Kerckhoffs in the nineteenth century is that the security of an algorithm must 
reside entirely on the key (the Kerckhoffs principle). According to this assumption, for a good 
encryption algorithm, if Eve (the eavesdropper) wants to extract the message transmitted 
between Alice (the transmitter) and Bob (the receiver), the only thing she needs to do is try 
to find out the secret key used; she will not need to spend time on extracting the system's 
structure. In contrast, most chaos encryption schemes do not observe this principle rigidly 
and the implementations try to hide everything from the public. This approach has many 
negative impacts both on the system safety and its commercial applications. 

Based on the requirement of public-structure encryption, there are four general types 
of cryptanalytic attacks, among them the known-plaintext attack is the most common one. 
In the real world, it is easy for an cryptanalyst to get some past plaintext messages that 
have been encrypted. Hence, when we evaluate the securities of chaos encryption schemes. 



vulnerability to the known-plaintext attack should be considered first In this paper, 

we will propose a known-plaintext and public-structure cryptanalysis method, the Error 
Function Attack (EFA), for the analysis of chaos encryption. Since the only thing Eve needs 
to do is to find out the secret key k, the most straightforward approach would be for her to 
try every possible key, k\ that Alice and Bob probably can use (the keyspace). This is the 
so called brute-force attack. By defining the EFA function 

e{k') = \DAC{t)) - P{t)\dt = \D,,{E,{Pm - P{t)\dt, (1) 

Eve can scan the whole keyspace to find out the proper key k' = k which satisfies e{k') = 0. 
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Here T represents the amount of data Eve will use, dt represents the length of each block 
of plaintext {P{t)) and ciphertext (C(t)), Ek{P) represents the encryption process and 
D^,i{C{t)) denotes the decryption process. 

For public-structure and known-plaintext attack, there are many well developed methods 
in conventional cryptanalysis, such as the linear attack and the differential attack. These 
methods have proved to be ineffective when used on chaos encryption systems As we 
mentioned in Sec. I, the basic difference between conventional cryptography and chaos 
cryptography is that the conventional encryption is defined on discrete sets and the chaos 
encryption is defined on continuous sets. This makes the keyspace behavior of chaotic 
systems very different from that of conventional systems Due to its continuous- value 

property, in chaos encryption systems keys that are not identical but are very close can still 
be used to synchronize the two systems very well, thus will form a key basin around the 
actual secret key . Il5l|. Because of this. Eve will not need to try all the keys in the 



keyspace; she can, according to the special characters of key basin, find some optimization 
method to systematically adjust the trial key k' untill k' = k. By this way, the cryptanalysis 
time can be greatly reduced. 

In addition to this, EFA also attacks the weakest part in chaos encryption systems - 
the nonchaotic receiver. Since the dynamics of the receiver is definitely not sensitive to the 
initial conditions and may not be sensitive to the parameter mismatch as well, it is much 
easier to attack the receiver than to attack the transmitter whose sensitivity depends on both 
parameters and initial conditions. Thus, as a public-structure and known-plaintext attack, 
EFA not only fully exploits the information of the known structure and known plaintext, but 
also enjoys the advantage of considerable keyspace reduction by attacking the nonchaotic 
receiver. 



III. EFA ANALYSIS ON DIFFERENT CHAOS ENCRYPTION SCHEMES 

For any encryption scheme, the most important evaluation is about its security. In 
Sec. II, we had mentioned that EFA has many advantages for cryptanalysis of chaos based 
encryption. In this section, we will employ this method to evaluate the security of some pop- 
ular encryption schemes. Specifically, the active-passive decomposition model, the piecewise 
linear function model, the time delay model, the noise driving sequential synchronization 
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model, and the one-way coupled map lattices model. All these models apply chaos syn- 
chronization and make use of high dimensional hyperchaos, i.e. they are assumed to have 
better security than low dimensional chaos. According to the requirement of the Kerckhoffs 
principle, we consider only systems with the public-structure, i.e., the entire dynamics is 
opened to the public except a single parameter which serves as the secret key. Meanwhile, 
we assume that the eavesdropper could obtain some past plaintext-ciphertext pairs, namely, 
we consider the public-structure and known-plaintext attack. EFA will be used for analyzing 
all these cryptosystems. 



A. Active-passive decomposition (APD) model 

Proposed in 1995 by Kocarev et al and later generalized widely, the active-passive decom- 
position (APD) model has been one of the most popular chaos encryption schemes studied 
during the past years This model has two important characteristics: (a) the message 
is not added directly to the chaotic carrier but drives the dynamical system constituting 
the transmitter; (b) the dimension of encryption system can be arbitrarily high by cascad- 
ing identical or different individual systems, and thus the APD model had been assumed 
with high security in early time. For the consideration of the public-structure and known- 
plaintext attack, each parameter in the equations can be regarded as a secret key in the 
APD model. Here we use cascaded Rossler systems investigated in Ref. Q] as our model: 

Transmitter: 

xi = 2 + xi{yi -4), 

= -xi - zi, (2) 
zi = yi + aisi, 

with 

si = zi + 0.25P, (3) 

and 



= 2 + Xi{yi-4), 



with 

= -^i + 0.25sj_i, i = 2,3, ....n. (5) 

Here P stands for the message to be transmitted privately and s„ represents the output 
ciphertext. All the parameters Oj, i — 1,2, ...,n, can be used as secret keys and are chosen 
carefully to keep the last oscillator staying within chaos. In order to simphfy the related 
analysis, we set P{t) = in Eq. (1) for each scheme investigated in this paper without losing 
generality. In fact, the APD model performs a multiple encryption process: the plaintext 
is first encrypted to Si by the first Rossler oscillator, then Si is regarded as the new input 
plaintext and encrypted to S2 by the second Rossler oscillator, and the same process repeated 
down to the last Rossler oscillator which generates s„ as the last output ciphertext. On the 
receiver side, the whole system is identical to the transmitter except the encryption process 
be reversed. 
Receiver: 



with 



and 



with 



X, 



2 + a^L(yl -4), 



—x„ — z„ 



Vn 

I 



(6) 



(7) 



2 + x,(y,-4), 
— — z^, 

y'i + a A, 



(8) 



n-l,n-2 1. 



(9) 



By setting a[ = ai, the receiver can be synchronized with the transmitter and the message 
can be recovered step by step using Eq. (9), and the original message will be recovered at 
the last oscillator by using P — {s[ — z[)/0.25. 
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Now we use EFA to analyze the key behavior of this encryption model. Setting aj = 
0.45, j = l,2,...n, the transmitter is spatiotemporally chaotic with n positive LEs. In 
our simulations we choose the most effective (For the APD model, systems are cascaded 
unidirectionally. The more last the parameter is, the more sensitive the decryption process 
will be, this is also verified by our numerical simulations.) parameter a„ the parameter 
of the last Rossler oscillator, as the secret key for encryptions and define the keyspace by 
keys that keep the last Rossler oscillator in the chaotic regime. For Eve, she has all the 
knowledge about the transmitter and the receiver except a„, and she also knows the range 
of the keyspace. Consequently, she can run the receiver, Eqs. (6)- (9), by choosing the trial 
key a'^ randomly within the keyspace, and calculate the corresponding error function results 
by using Eq. (1). In Fig. 1(a), we plot the key basin for the n = 2 APD model by using 
EFA 

6(4) = f J ^1*^4) -zi{a2) dt. (10) 

It is found that the whole keyspace G [0.44, 0.46] forms a single key basin, two straight 
lines with reversed slopes dominate the behavior of 6(03). The secret key a'^ = 02 = 0.45 is 
located at the minimum point 6(03 = 02) = 0. With this structure. Eve can find the correct 
key easily through some adaptive adjustments. For example. Eve can first try arbitrarily 
two trial keys in the keyspace, 03(1) and 03(2), and by comparing the respective values of e, 
she will know which direction she should be adjusting her next attempt. In our simulations, 
only 6 to 8 tests are needed to find the properly location of 02. Furthermore, by using 
the slopes, we can evaluate 02 proximately only by two trial keys. We refer to this kind of 
key basin as the triangle basin and the method for key searching mentioned above as the 
adaptive adjustment method (AAM). It is obvious that this model has no security against 
EFA. 

In order to investigate the relationship between the dimension and the security in this 
type of scheme, we also plot the key basins for n = 3,4, 5 in Fig. 1(b). As the dimension 
of the system increases, the key basin changes only in shape, but the structure of triangle 
basin still persists. This kind of basin structure can also be found in other APD based 



models, and in Fig. 2 we plot the related key basins for the model used in Ref. 13] • All 
parameters and dynamics of the systems are those of the original paper and the parameter 
in the equation of the first variable is chosen as the key. We find that no matter how high the 
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system dimension is (the dimension changes from 5 to 101 in our simulations), the triangle 
basin remains. (We should mention that as the system dimension is increased, we also see 
a longer transient time before the triangle basin becomes manifest.) Therefore, increasing 
the system size (i.e., the dimension of hyperchaos) does not lead to an increase in security 
for this encryption scheme. This result is rather surprising, and this behavior should be 
seriously considered whenever one hopes to reach high security by increasing the dimension 
of chaotic system, or say, by applying spatiotemporal chaos. 



B. Coupled piecewise linear function (CPLF) model 

For a long time, the piecewise linear function model has been another popular nonlin- 
ear model investigated extensively 3; Is^- There exists a well-developed theory of 
piecewise linear maps which generate uniformly distributed signals, and it is known that 
piecewise linear maps share nice properties of invariant measures, ergodicity and statistical 
independence In Ref. the authors proposed an efficient encryption scheme based 
on coupled piecewise hnear maps, and they declared that such cryptosystems not only enjoy 
high security, but also have an "immense parameter space" for key choosing even in lower 
dimensional encryption systems. Here we choose the five-dimensional system used there as 
our model and analyze its security by using EFA. The dynamics of the transmitter and the 
receiver can be written as: 

Transmitter: 

x^ik - 1) = fi[x3{k - 1)] + a^xXx{k - 1) + a^2^2{k - 1) + a53X3(A; - 1) 
■^a^iX^ik — 1) + k'jX2{k — 1) sin[A;8X3(A; — 1)], 
xi{k) = f^[x^{k-l)] + c-P{k), 

X2{k) = f3[x3{k - 1) + X4{k - 1)] + Xi{k) + a22X2{k - 1) + a23X3{k - 1) 

+a2AXi{k - 1) + kiX2{k - 1) sm[k2X3{k - 1)], (11) 
= Uix^ik - 1)] + a32X2{k - 1) + a33X3(A; - 1) + as^x^^k - 1) 
■^kj,xz{k — 1) sin[fc4a;4(A; — 1)], 

X4(A;) = a42X2(A; — 1) + auX4,{k — 1) + kK,Xi{k — 1) sm.[kQX2{k — 1)], 
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with the piecewise hnear map 

N 

fi{x)^Co + CiX + J2Dr\^-Ej\^ modx- (12) 



Receiver: 



x'4^{k) = a'^2^2{k - 1) + diiX^{k - 1) + k'^x^{k - 1) sm[k'QX2{k - 1)], 
= fA<{k - 1)] + a!^2^2{k - 1) + a'334(/c - 1) + a!^Mk - 1) 
+k'^x'^{k - 1) sin[fc4a;4(fc - 1)], 
x[{k) = X2{k) - fsix'^ik - 1) + ^(/c - 1)] - a22X2{k - 1) 

~<^23^3{f^ — 1) — a24x'4{k — 1) — k[x2{k — 1) sm[k2x'^{k — 1)], (13) 
x',{k - 1) = /([4(A; - 1)] + a',Mk - 1) + a'52X2(^ - 1) 

+a'^^x'^{k — 1) + a54a;4(/c — 1) + k''jX2{k — 1) sin[A;8a;3(A; — 1)], 
P\k) = {a;;-/^K(A;-l)]}/c. 

This is a dehcately designed cascaded system where the plaintext P is added to the first 
variable and influences all the other variables through couplings. The variable X2 serves as 
the ciphertext and also acts as the driver signal of the receiver for chaos synchronization. In 
the piecewise linear map fi{x), Ei < E2 < ...E^ are breaking points and Ci = |(mo + miv), 
Dj = |(mj— mj_i), Co are parameters used for model adjustment, and rrij is the slope for the 
jtli segment. In our simulations, we set N = 20, x = 100 ^-iid set Ej uniformly distributed 
in [0, x] so as to simplifying our analysis. We also set the slope rrij = N x > 1 so 

that the system stays within the chaotic regime. With Cq — —50, the function of one single 
piecewise linear map is plotted in Fig. 3(a). 

In this cryptosystem, all coupling parameters and parameters in each map function can 
be used as secret keys. Here we use the most sensitive parameter 044 as the secret key and 
keep all the other parameters public. According to the requirement of convergence we fix 
the whole parameter set as 

022 = 0.1, 023 = -0.09, 024 = 0.1, 032 = 0.1, 033 = 0.1, 034 = 0.2, 
042 = -0.23, 051 = 0.1, 052 = 0.3, 053 = 0.1, 054 = 0.31, 

Cl = 0.06, C2 = 3.4, C3 = 0, C4 = 12.9, Cg = 0.378, Ce = -0.99, (14) 

C7 = 0.001, cg = 1. 
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For 044 = —0.89, we plot in Fig. 3(b) the key basin for 044 by using the EFA 

e(^') = ^Eim-nfc')l- (15) 

k=l 

It is found that there exists a key basin a'^^ G [—0.895, —0.885] which occupies a parameter 
interval of order 10^^ around the actual secret key. Compared with the entire keyspace 
^44 ^ —0.75], which is of the order of 10~^, it is still an relatively easy job to expose the 
secret key. For example, in order to attack this system. Eve can divide the whole keyspace 
into some key basin sized intervals, then test a few trial keys in each intervals to find where 
the actual key basin is located. Once this interval is identified. Eve can the focus her 
searching in this basin and determine the secret key by AAM as used for the APD model. 
For the above mentioned five-dimensional model, we can extract the secret key within 200 
tests, a considerably reduced searching time in comparison to the brute-force attack which 
needs about 10^^ tests Q]. 

Although still not quite secure enough, the security of the CPLF model has been improved 
greatly compared to the APD model. Moreover, the security of CPLF can be considerably 
improved by increasing the number of modulo operations. With all other parameters un- 
changed, we plot in Fig. 3(c) and (d) the EFA results for Cq = (the function of one single 
piecewise linear map shown in Fig. 3(a) is divided into two separate parts this time) and 
rrij = lOx N X , respectively - both settings increase the number of modulo operations. 
It is apparent that the system security is significant improved. 



C. Delay-differential equations (DDE) 

The time delay system employing delay-differential equations is an efficient model for 
constructing high dimensional hyperchaos. Its dynamics structure is rather simple, but its 
sequences can be very complex j2l|. Besides, DDE can be easily implemented in electronic 
systems j^]- Comparing with other hyperchaotic systems, DDE has some special advan- 
tages for encryption. First of all, DDE is an infinite dimensional dynamics with a high 
dimensional attractor with many positive LEs; these guarantee high complexity of its out- 
put signals. Secondly, the complexity and the number of positive LEs can be controlled 
easily by adjusting the delay time r. In these systems, we do not need to worry about the 
problem of weak keys, since the system will always be chaotic and the number of positive 
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LEs will increase linearly, once r exceeds the critical value. Finally, synchronization between 
DDE has been established and proved to be robust 2^. Therefore, DDE has been a popular 
model for encryption in both theoretical and experimental investigations 

For this kind of cryptosystems, the delay time r is the most suitable choice for the secret 
key. Here we employ the Mackey-Glass DDE (MG DDE) cryptosystem used in Ref. j3| 
as our model and analyze its security by EFA. The dynamics of the transmitter and the 
receiver are 

Transmitter: 

dx(t) , , , ax(t — t) , , , 

receiver: 

^ = -by it) + + m - y{t)], (17) 

with 

s{t)=x{t) + tP{t). (18) 

It was shown that with parameters h = 0.1, a = 0.2, and c = 10, the above system will 
always be kept in the chaotic regime for r > 16.8. For r = 300, there are altogether 15 
positive LEs and the system dimension is about 30. As r increases, both the number of 



positive LEs and the Kaplan- Yorke dimension increase |2j|. In our simulations, we consider 
the keyspace with the range t' e [150, 450] and choose r = 300 as the actual secret key. The 
key basin is plotted in Fig. 4 using the EFA 



e(r') = ^^ \xr{t)-yr'{t)\dt, (19) 

In this case, the key basin is the range r' G [230, 340], and considering the O(IO^) size of the 
entire keyspace, it is obviously an easy job to determine the secret key by AAM as in the 
cases discussed above. 



D. Noise driven sequential synchronization (NDSS) model 



A hierarchically structured cryptosystem is proposed recently [27[, employing sequen- 
tially synchronized chaotic systems. Sequential synchronization is attained by first feeding 
a noiselike signal to a variable of the first transmitter and its receiver simultaneously and 
then feeding a variable of the first transmitter and its receiver to a variable of the second 
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transmitter and its receiver, respectively, and repeating the feedings of successive variables in 
sequence. Plaintext is added directly to the variables to form the ciphertext on the transmit- 
ter side, and is recovered by synchronization on the receiver side. This is different from the 
encryption schemes mentioned above, as the plaintext here is not involved in the dynamics. 
Such an encryption scheme appears to have high security, which can be enforced selectively: 
different users can maintain different security levels according to the synchronization level 
that can be reached. Here we consider the cryptosystem composed of one Navier-Stokes 
oscillator and one Lorenz oscillator, as used in Ref. [27 1, with both the transmitter and the 
receiver sharing the same dynamics, 

X = -1.9x + 4[aiy + /3 J {t)]z + 4uv, 

y = -7.2[aiy + PJit)]+3.2xz, 

z = -4,7z -7.0x[aiy + l3J{t)] + k, 

u = —5.3u — XV, 

V = —V — S.Oxu, (Navier-Stokes) (20) 

p = a[{a2q + (32z) - p], 

q = cp- {a2q + I32z) - pr, 

r = p{a2q + ^2^) ~ (Lorenz) 

where ai, ^2, /3i and are the couplings, /(t) is the noise signal which reads 

f{t) = 50^ sin[27r x 0.8(^ + ^')t] (21) 

where ^ and ^ are pseudorandom numbers within (0, 1). 

With the parameters k, a, c, and b taken to be 36, 10.0, 28.0, and 8/3, respectively, for 
ai = 1.2, Pi = 0.9, a2 = 0.9, and = 22.5, both the transmitter and the receiver Exhibit 
chaotic behavior but can be synchronized. For public-structure and known-plaintext attack, 
we choose the parameter = 36 in the Navier-Stokes equations as the secret key and 
consider the keyspace k' G [35,37], where the whole system stays in the chaotic regime 
and synchronization between the transmitter and the receiver can be achieved. In our 
simulations, we choose the variables v and r as the carriers, and use the EFA 

e{k') = ^ j^^ \v'{k')-v{k)\dt, (22) 
13 



and 

e{k') = ^£\r'ik')-rik)\dt. (23) 

The key basins are plotted for the Navier-Stokes system and the Lorenz system in Fig. 5(a) 
and Fig. 5(b), respectively. Again we find the triangle basin in the Navier-Stokes system, 
with a similar one for the Lorenz system, except with a little distortion. (This appears to 
be typical for every variable in this system chosen as the secret key.) The conclusion is 
clear: the secret key can be easily determined using AAM just as in the cases that we have 
discussed, and the claim for high security does not seem to be justified. From the results 
of our simulations, we do not see any improvement with more complicated coupled chaotic 
systems. 



E. One-way coupled map lattices (OCML) 

For a long time, coupled map lattices (CML) have been used to inve stig ate the complex 
behavior of spatiotemporal chaos in many fields of nonlinear science j2S|. Recently, this 
kind of system has been utilized for secure communication in a number of encryption al- 

_) is extensively used for 
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gorithms. In particular, the one-way coupled map lattices (OCM! 
self-synchronizing, spatiotemporal chaos-based cryptosystems 

The earlier works on OCML inherited the classical ideas of chaos encryption: they re- 
garded OCML as a special spatiotemporal chaos system with inherent high computational 
complexity and yet amendable to easy analysis j29j. Later, modified OCML models were 
proposed to make the systems more feasible for encryption application. These modifications 
include the adoption of self-synchronization, the use of binary sequences more suitable for 
dwta, _cat.ons ,12) . and the application of ,nodu,o operations to improve the system 
security etc. Further studies show that OCML ciphers can be improved to have not only 
competitive security when compared against conventional ciphers, but also respectable en- 



cryption speed and low bit error j30|. In the following, we shall mainly evaluate the property 
of security in a OCML system by employing the EFA. 

We use a modified two-dimensional OCML encryption system recently proposed in Ref. 



if as our model. The transmitter is comprised of two parts: the first part is a one- 
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dimensional OCML with m coupled lattices, 



Xo{n) = SN/2,N/2{n)/2'", 
xi{n + 1) = (1 - e)fi[xj{n)] + £fi-i[xi^i{n)], 
fi{x) = aix{l-x), / = l,2,...m, 



(24) 



while the second part is a two-dimensional OCML driven by the first part through lattice z, 

z{n + l) = {l-£)f[z{n)]+efm[xm{n)], 

Vofiin) = z{n) X 2^" mod 1, 

yifi{n + l) = {1- e)f[yifi{n)]+ef[yo,oin)], 

?/o,i(n+l) = (1- e)f[yo,iin)]+ef[yofi{n)], 

y,,o{n + 1) = (1 - £)/[aoH] + £{0.8/[y,_i,o(n)] + 0.2/[y,_2,oH]}, t = 2, ..N, (25) 

yoj{n + 1) = (1 - s)f[yoAn)] + e{0.2f[yo,,-i{n)] + 0.8/[yo,,_2(^)]}, J = 2, ..N, 

y,,,in + 1) = (1 - 6)f[yi,,in)] + 6{0.5f[y,^,,,in)] + 0.5f[y,,,^,{n)]}, 2<t+j<N, 

f{x) = 4x(l — x). 

The output ciphertext reads 



The dynamics of the receiver is identical to that of the transmitter. When the two systems 
are synchronized, messages can be recovered by the reverse process of Eqs. (26). The 
detailed explanation on the structure of Eqs. (25) and Eqs. (26) is found in Ref. Isi], 
and in this work we shall focus on analyzing its security and other encryption properties. 
For this cryptosystem, the parameters a/, Z = 2,3, ...m, can be used as the secret keys. In 
the following simulations, we set the parameters N = 6, m = 3, e = 0.99, h = 26, rj = 60, 
V = 30, ai = 3.9, / = 2, 3, ...m, and choose just one parameter (just as we did for the previous 
four models), ai, as the secret key. Except for the lattice ?/o,0; each lattice in the second 
part can be used as an encryption unit, thus significantly enhancing the encryption speed. 
(With the above settings, for example, the system can generate a total of 25 sequences 
simultaneously.) Moreover, the modulo operations used in Eqs. (25) and Eqs. (26) also 



Sij{n) = [Kij{n) + P,,,{n)] mod 2^ 
Kij{n) = {mt[y,j{n) x 2'']} mod 2^ 2<i + j<N. 



(26) 
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serve to greatly improve the system security. This is therefore a system that potentially has 
both high security and fast encryption speed. 

With the requirement of public-structure and known-plaintext, we study system's key 
basin by using the EFA 

eij(ai) = \Ki,j,aM) - K,j,a'S^) . (27) 

ra=l 

with K[- ^ representing the corresponding output in the receiver for the trial key In Fig. 
6 we plot the simulation results for 63,3 with the secret key chosen as a\ = 3.9. The key basin 
is observed to be within the range [3.9 — 4 x 10~^^, 3.9 + 4 x 10"^^]. Since the whole keyspace 
for this kind of system is at least within range a[ G [3.6,4.0], it needs at least 10^^ tests to 
determine the correct secret key using EFA. We have also investigated through simulations 
the key basins for other output sequences Sij, and found that the widths of the key basins 
typically range from 10^^^ to 10^^^, depending on where the output lattice is located. This 
suggests that any one output sequence is a good candidate for encryption. In comparison 
with other four models mentioned above, this model appears to possess much higher system 
security. 

IV. QUALITY FACTOR 

In conventional cryptography, three criteria are commonly considered when designing an 
effective and applicable cryptosystem: security, the encryption speed, and the error rate 
uM. For chaos based encryption, relatively little attention has been paid to the latter two 

nnn 

criteria which are intimately linked to the attempts to achieve greater security. 

First of all, security of a cryptosystem depends mainly on its dimension: the higher the 
dimension, the more complex the signal it can generate. However, high dimensional systems 
usually incur greater encryption time cost in both software and hardware implementations. 
Obviously there will have to be a trade-off between these two in considering the realistic 
application of a system. Furthermore, higher system security usually implies higher system 
sensitivity, and this brings about another problem for chaos encryption, name the system 
stability. Both the encryption systems and the communication channels can be disturbed 
unavoidably for various reasons like intentional attacks or unintentional perturbations). The 
system sensitivity of a high security system will amplify these disturbances rapidly. This 
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is particularly problematic for chaos synchronization based cryptosystems which have to 
spend a certain time to eliminate these disturbances before any correct communication can 
be accomplished. All these highlight the relevance of considerations beyond just system 
security in evaluating the overall performance and applicability of any given encryption 
scheme. In this section, we will analyze the encryption models used in Sec. Ill by studying 
their performance in all the three aspects mentioned above, and compare their advantages 
and drawbacks from the point of application. 

Before going further, we need to give the security a quantitative description. Based on 
the analysis of EFA, there always exists a key basin around the actual secret key. Without 
the knowledge of this basin, one may not be able to extract the secret key by brute-force 
or other means of searching. We define the key basin width, denoted by lu, by the distance 
between two trial keys located on the two sides of the key basin, which exceeds the average 
EFA result of the entire keyspace (see the marked regions in Fig. 3(b), Fig.4, and Fig. 6). 
Here, we call the number of intervals (which are potential key basins) with this width in 
the whole keyspace as the key number. (For different choices of the secret key, there can be 
small differences in the basin widths.) The security of the system is broken as soon as the 
actual key basin is exposed, since the searching cost of extracting the secret key then once 
is negligible. This motivates us to define the security of a cryptosystem as the entropy of 
the key number ^| 

S = log2 (28) 

w 

with K denoting the length of the entire keyspace and ^ being the key number. 

We define the amount (megabit) of data that can be encrypted in each second as the 
encryption speed, denote it by V. The number L of bits that are affected when one bit is 
in error in the ciphertext is defined as the error propagation length (EPL). Our simulation 
study is based on software implementation, and treat each variable as a 8-byte (i.e. 64-bit, 
double precision, real) data. In computing the EPL, random perturbation is added within 
the range of the output signals, and the average over 1000 runs is taken. 

As we had emphasized above, there exist some trade-off relations between security, en- 
cryption speed and EPL, so from the point of application, we need to strike a balance between 
these aspects so as to obtain a better overall performance. In this paper, we represent this 
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balance by the Quality Factor, which we define as 

B ^ ^. (29) 

Although this definition may not refiect the precise relationship in real applications, the 
Quality Factor does parameterize the interplay of the factors affecting the overall perfor- 
mance of a cryptosystem in a concrete and reasonable way. but it can fairly well reflect some 
basic properties for evaluating system's overall performance. We find the following results 
for the different encryption models discussed in Sec. Ill: 





APD 


CPLF 


DDE 


NDSS 


OCML 
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logal 


l0g2 103 


log2 101 


logal 


log2 10" 
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31.6 
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24.5 


22.6 


216.7 
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1737 


681 


719 


2213 


22 


B 





0.041 


0.113 
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The above results are obtained on SGI OCTANE workstation (two 195MHZ 1P30 CPU 
256M RAM, FortranQO compiler). We have also carried out computations on other work- 
stations and compilers and obtained qualitatively similar results. For the simulations, we 
choose the parameters as for Fig. 1(a) for the APD model. Fig. 3(a) for the CPLF model. 
Fig. 4 for the DDE model. Figs. 5(a) and (b) for the NDSS model, and Fig. 6 for the 
OCML model, respectively, so as to maximize the overall performance for each scheme. 

Based on the above table, we wish to make the following observations. 

1. From the security point of view, the OCML and CPLF models perform much better 
than the other models. This is mainly due to the modulo operations employed in 
these two schemes. The modulo operation disposes the most significant digits in the 
signals and keep only those less significant digits, making the systems more sensitive 
to the key values. As verification, we have also tried applying modulo operations on 
the output signals of the NDSS model (the same parameters as in Figs. 5(a) and (b)), 
and the related EFA results are plotted in Fig. 7(a) and (b) for the Navier-Stokes 
system and the Lorenz system, respectively. The improvement in the system security 
is obvious. 

2. The OCML model possesses excellent encryption speed due to its simple functions and 
multiple outputs. In our simulation, we find that although the modulo operation can 
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improve appreciably the system security greatly, it is also a time-consuming function. 
This is largely responsible for the low encryption speed of the CPLF model. In con- 
trast, the 25 simultaneous outputs and the simplicity of the mapping functions more 
than compensate for the extra processing time linked to the modulo operations. 

3. Finally, from the results on the EPL, it is clear that lower dimensional, mapping 
systems perform better than high-dimensional, differential systems. Moreover, systems 
with multiple outputs but with only one as the driving signal has a clear advantage in 
EPL performance. While the errors in the transmitted bits of the driving signal are 
responsible for the EPL, the remaining nondriving ciphertext bits do not give rise to 
such a problem, i.e., one bit error of the transmitted ciphertext causes only one bit 
error in the received plaintext. Together with the two dimensional structure design and 
strong couplings, these features give the OCML model an outstanding performance as 
far as EFL is concerned. 



V. CONCLUSION 



In this paper, we proposed an efficient cryptanalysis tool, the EFA method, to study the 
security of some well-known chaos encryption schemes. Our systematic comparison suggests 
that even models (such as the APD and NDSS models) with high dimensionalities (and hence 
the supposed higher security) fail to maintain their security under the EFA. We are also of 
the opinion that in addition to security consideration, there arc other important aspects 
of cryptosystems which affect their overall Performance. More specifically, we consider, 
additionally, the encryption speed and the error propagation Length, and suggest in this 
paper a quantity (the Quality Factor) as a possible measure of the overall performance, or 
applicability, of chaos-based cryptosystems. Through comparisons, we find that the modified 
OCML model has the best overall performance among the models considered, and some the 
reasons responsible for this performance are briefly discussed. 
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Figure Captions: 

Fig. 1 (a) Key basin of a'2 for the APD model composed of two coupled Rossler oscillators, 
02 = 0.45 is chosen as the secret key. (b) Key basin of 03, 04, and a'g for APD models with 



1^ 



3, 4, and 5 coupled Rossler oscillators, respective 
Fig. 2 Key basins for the model used in Ref. 17 1. 

Fig. 3 The coupling 044 in Eqs. (11) is chosen as the secret key. (a) Map of CPLF for 
Co = -50 and = 20 x j = 1,2,..., 20. (b) Key basin of CPLF model with the same 
parameters as for (a), (c) Key basin for Cq = 0, and, (d) key basin for rrij = 10 x 20 x "^^^ i 
j = 1,2,..., 20, other parameters being the same as for (a). 

Fig. 4 Key basin for the DDE model, with b = 0.1, a = 0.2, and c = 10. For The secret 
key r = 300, there are 15 positive LEs and system dimension is about 30. 

Fig. 5 The secret key A; = 36 is chosen here, and the difference between the trial key k' 
and the secret key k, Ak = k' — k, is used as variable for the horizontal axis, (a) The key 
basin for the Navier-Stokes system, (b)The key basin for the Lorenz system. 

Fig. 6 The key basin for the OCML model with the chosen secret key Oi = 3.9. The 
variable for the horizontal axis is the difference between the trial key a'l and the actual secret 
key ai, Aa = a\ — ai. 

Fig. 7 The key basins after the introduction of modulo operations for (a) the Navier- 
Stokes system and (b) the Lorenz system, respectively. The parameters are the same as for 
Fig. 5 
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